I want to use a DDNS address instead of an IP address for the port forward source address in firewall NAT.
When I use a DDNS address it converts it to an IP, but it never updates it to the current IP address.
I think it's very possible if you use the MikroTik cloud version, not sure how to accomplish it via dyndns.org or similar?
I'm talking about using it in the port forwarding, where you can restrict the source IP addresses that can connect. Instead of using an IP address I want to use an FQDN.
Hmm, I restrict by IP address, not sure about FQDN.
I believe exact hostnames are allowed in address lists.
When I use an FQDN in address lists and click OK, it resolves it to an IP address, but it never updates it.
This works:
/ip firewall address-list
add address=www.example.net list=allowed_ip
… unless you have very old RouterOS.
Everything is up to date. How do I do that in WinBox? Do I have to run commands? Can you give me a step-by-step?
The same works in WinBox too. Go to Address List tab, add new item, put name of list in “Name” field, FQDN in “Address”, click OK and that’s it.
When I do that, click OK and then click edit, it displays the IP address of the FQDN. The question is: if the FQDN's IP address changes, will the IP address update? Because when I did it on the NAT page (source IP address as FQDN) it never updated the IP.
Are you sure you’re trying to use address list?
I'm talking about this menu exactly, the second picture with the arrow. Will the IP address under the FQDN update from time to time when the IP address changes? Because when you do it from the NAT menu source address, and you use an FQDN over there, it fills in the IP address automatically, but it never updates when the FQDN changes IP.
But that’s the thing, you can’t use FQDNs with individual firewall rules, it doesn’t work there. You need to create address list and then use that instead. So instead of using src-address=, you make a list and use src-address-list=.
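As an added example (not from the thread or from MikroTik's own documentation), the complete configuration the previous post describes, with a placeholder hostname, port and LAN address:

```routeros
# Added example, not from the thread. Hostname, port and LAN address are placeholders.
# The router needs a working resolver (/ip dns) for the FQDN entry to resolve at all.

# 1. Put the DDNS hostname in an address list. RouterOS keeps the FQDN as the static
#    entry and adds a dynamic (D) entry with the resolved IP, refreshed when the DNS TTL expires.
/ip firewall address-list
add list=bookkeeper address=bookkeeper.example-ddns.net comment="outside firm, dynamic IP"

# 2. The port forward. src-address=<fqdn> would be resolved once when the rule is created;
#    src-address-list= is what tracks later changes of the hostname's IP.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=5000 in-interface-list=WAN \
    src-address-list=bookkeeper to-addresses=192.168.88.50 to-ports=5000 \
    comment="fingerprint server, bookkeeper only"

# 3. Forward-chain filter that admits only connections dst-nat'ed from the list
#    (assumes the usual drop rule at the end of the forward chain).
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat src-address-list=bookkeeper \
    comment="allow dstnat'ed traffic from bookkeeper"

# 4. Check what the name currently resolves to: the D-flagged entry shows the live IP
#    and its timeout (the remaining TTL).
/ip firewall address-list print where list=bookkeeper
```

If an existing NAT rule already uses src-address= with the hostname, clear that field and set src-address-list= instead, otherwise the rule keeps the IP it resolved at creation time.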
I just tested an FQDN in an address list, and when I changed the IP it updated instantly. Thanks for all your help.
Since my ISP at the source IP location has a long lease time and turning off the modem doesn't give me a new IP, I couldn't test it to see if it will update the IP. But I found an app that lets me manually update the IP in my DDNS account, and the second I did it, the address list updated the IP of the FQDN. I needed to make sure that this works because accounting uses it every week to make payroll.
Nice feature if the source address changes (not static)!
Best to have outside sources vpn in but not always possible.
They are an outside bookkeeping firm only needing access to one employee fingerprint machine, and they have their own IT, so I don't have access to the client machine to set up a VPN. They just punch in our static public IP with the device port in the fingerprint server software, so I just restrict the port forwarding to their DDNS since they are on a dynamic IP.
Two things:
How fast it updates depends on the record's TTL. DDNS probably uses something short. You can check it e.g. here: https://mxtoolbox.com/DNSLookup.aspx
It's up to you to decide how sensitive the stuff we're talking about is, but an employee fingerprint machine sounds like something that would deserve better security; a VPN would be a much better choice. This source-address-based solution protects against random people on the internet, but not against a more serious attacker (e.g. someone who could get into your ISP's network), and it does not prevent anyone on the way between you and the other party from seeing all data flowing between you.
It's nothing that serious, just a bunch of punch-in and punch-out logs, but I'm looking into VPN.
That depends…
If the information is valuable in and of itself it should be protected. If fingerprints are involved and they were mine, I would be really keen on better security.
If the logging information was valuable, ditto (in other words, if I don't get paid because the logs were hacked and don't exist, I would be really keen on better security).
If the devices themselves and the information were hacked and destroyed, how long would this affect company business? What would the real costs be?
I think you start to see the drift of the discussion: what one perceives and what actual value there is, when considering the actual outcomes of hacking, may seriously differ.
Be it for $$-value hacking or malicious destructive hacking (for any business), VPN is the right path.
I personally recommend IKEv2, as recently and so eloquently described in a practical presentation:
https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf